The usual HTTPS setup requires a certificate that is signed by some rich authority and requires [monthly] fees and periodic maintenance (to prevent it expiring). This way Firefox displays a happy green badge that the certificate is OK and users know that they connect to a server at least managed by someone rich enough to afford a certificate.

A simple HTTPS setup is based on a self-signed certificate (or some temporary "advertisement offer" of some minor certificate authority). While connecting to this server Firefox almost always shows a Big Fat Warning that can frighten users and lower the usability of the site. So the simplest way of solving it is just to ignore security and revert to plain unencrypted HTTP.

How to make the traffic from Firefox encrypted (at least against passive sniffing), but without such a high security level that it requires third parties? Something like in OpenSSH.

4 Answers
4

StartSSL provides free community-validated certificates; it may be of interest to you. The green badge is only obtained through Extended Validation, which isn't free.

SSL is still secure against passive sniffing even with untrusted certificates.

If it is for your own usage, creating your own CA is fine. Knowledgeable people will not agree to include your homemade CA in their browser - it allows you to impersonate any SSL website to them as long as you are the man in the middle.

If you are interested in the global Internet community not getting the warning then you are pretty much out of luck. You need to have an SSL certificate from a certificate authority that Firefox knows about, otherwise people will get that prompt. You can get very inexpensive SSL certs from CAs that Firefox is already configured to trust out of the box.

If you have a smaller community of people that you are working with then you can generate your own SSL certificates and set up your own certificate authority to validate them. In doing this, though, you will have to have a way for all of your users to add your certificate authority as a trusted CA in Firefox so that it will validate your certificate and give them the happy green badge you're striving for.

"very inexpensive" are usually more expensive than my VPS rent.
–
Vi. Jul 19 '10 at 15:48

2

@Vi: GoDaddy sells them for $50 US over 2 years last I checked. They're not my favorite company to work with, but if your VPS rent is less than that I'd like to talk to your provider!
–
squillman Jul 19 '10 at 15:58

This sums it up: Pay or have the security warning. +1
–
John Gardeniers Jul 19 '10 at 17:54

1

@Vi - It's not quite that simple. It costs money to establish the infrastructure and trust relationships behind commercial certificates. Those companies which have invested that money clearly expect a return on their investments. I'm sure you don't do your job for free.
–
John Gardeniers Jul 19 '10 at 21:29

I work at a higher education institute in the United States. If you work for a qualifying institution (IANAL, so don't ask me), you can get a valid two-year cert from a Spanish certificate authority, ipsCA. If you follow that link, you can see it is in what I feel is intentionally tiny print. We have used it at our institution for some utility boxes, but I am not sure it went into production services AFAIK.

This is not to say it does not have its fair share of problems. We had to disable OCSP checking for some people in our group because the browser would suffer very long timeouts regarding this cert. We could not figure out why until much later, and then the timeouts stopped being an issue. The bug status does not make it clear whether this will be resolved in the future. But hey, free is free.

Edit: I cannot post more than one link because I am too inexperienced to handle myself on this site, according to the cutesy error message. Look up Firefox bug 529286 and OCSP on the Mozilla wiki to see what I am talking about.

If you sign up with StartCom, you can get a free SSL certificate which is accepted as valid by both Firefox and IE. It's not community validated, but validated by proving that you own the domain (or at least have access to the postmaster, webmaster or hostmaster accounts).